COMPUTERWORLD 


Should the White House be leading national cybersecurity efforts? PAGE 6

Oracle's plan to buy Sun raised a lot more questions than the vendor was willing to answer. PAGE 10

VMware claims it has built an OS for virtual clouds. That may not be all hype. PAGE 14

Steven J. Vaughan-Nichols says that Microsoft is doing something right. Well, half right. PAGE 18

A play-by-play on how one IT shop prepared for Conficker. PAGE 33

When should you bring up the topic of money in a job interview? PAGE 36

COMPUTERWORLD.COM

Entrepreneur Gregg Favalora talks about IT breakthroughs in 3-D medical imaging that help surgeons zero in on 'where to snip.'


News  &  Analysis 


Opinion 


Introducing  an  approach  to  outsourcing 
that  isn't  merely  collaborative,  it's  synergistic. 
Beginning  with  a  deep  appreciation  for 
every  client's  unique  strategy,  Accenture  draws 
on  process  experience  gained  from  more 
than  650  outsourcing  engagements  in  more  than 
100  countries.  Result?  Processes  become  more 
efficient  and  productive.  And  that  can  help 
the  whole  organization  perform  as  one. 


Business  Process  Outsourcing 

•  Customer  Contact 

•  Finance  and  Accounting 

• Human Resources

•  Learning 

•  Sourcing  and  Procurement 

• Industry-specific Services: Airlines, Insurance, Health, Pharmaceuticals, Utilities and more


Application  Outsourcing 

•  Application  Development 

•  Enhancements  and  Upgrades 

•  Application  Maintenance  and  Support 

•  Testing  Services 

•  Capacity  Services 


Infrastructure  Outsourcing 

•  IT  Spend  Management 

•  Data  Center  Services 

•  Service  Desk 

•  Security  Services 

•  Network  Services 

•  Workplace  Services 


Visit  accenture.com/outsourcing 
Consulting  •  Technology  •  Outsourcing 


Outsourcing  for  High  Performance 


accenture 

High  performance.  Delivered. 


Inside

COMPUTERWORLD ■ APRIL 27, 2009


■ NEWS

6 The official who oversaw a federal cybersecurity review says the White House should lead public- and private-sector initiatives. | Microsoft says users will see UAC

7 A study finds that using H-1B workers reduces IT salaries by as much as 6%. | AMD plans to release a six-core Opteron chip in June and offer 16 cores by 2011.

8 The Pentagon, which signed a $40 million systems order with SGI in January, is watching closely as the HPC vendor sells its assets.

14 VMware Looks to Bring Data Centers Under the Cloud. VMware hopes its new vSphere software will persuade IT managers to virtualize their data centers. But

■ DEPARTMENTS

15 The Grill: Imaging pioneer Gregg Favalora talks about "crystal ball" 3-D imaging, breakthrough medical applications and entrepreneurial best practices.

33 Security Manager's Journal: Attention to Conficker Seems to Pay Off. The notorious worm has Mathias Thurman's security team putting all of its focus on protecting the company's 9,000 systems around the globe.


■  OPINION 

4  Editor's  Note:  Don  Tennant 

says  the  private  sector  must  be  a  full- 
fledged  combatant  in  any  cyberwar. 


18  Steven  J.  Vaughan-Nichols 

finds  that  Microsoft  is  actually  doing 
something  right  -  well,  half  right. 


36 Computerworld Premier 100 IT Leader Mark Burnette discusses how to keep your head while your co-workers are losing theirs to the job-cutting ax. Plus, at what point in the job application process should you bring up the touchy subject of salary?


34  Preston  Gralla  believes  that 
privacy  will  be  the  first  casualty  in  the 
era  of  cyberwarfare. 


38 Shark Tank: "I am a phone on a smart switch. Temperature rising. Must shut down. Then must send out alert about


40  Frankly  Speaking:  Frank 
Hayes  says  the  Oracle-Sun  deal  will 
give  Larry  Ellison  another  chance  to 
have  a  hit  with  appliances. 


INTERNET WARFARE:

20 Are We Focused on The Wrong Things?

More than seven years after 9/11, federal efforts to secure the country's cyberinfrastructure are bogged down by a lack of vision, planning and leadership. Here are six steps the new administration should take now.

28 The Fog of (Cyber) War

Cybermilitias, black hat hackers and other non-nation-state bad guys obscure the battlefield. How do you stop an enemy you can't identify?


■  EDITOR’S  NOTE 

Don  Tennant 


Whatever  It  Takes 


IN THE FILM State of Play, a thriller now playing in a theater near you, the bad guys are tied to a Blackwater-like security contractor called Point Corp. The contractor is out to make a killing, so to speak, by persuading congressional leaders to outsource homeland security to the private sector. Billions of dollars in potential contracts are at stake, so the bad guys are determined to do whatever it takes.

Back in the real world, the U.S. House Committee on Homeland Security doesn't have to deal with Point Corp., but it certainly has its hands full. As Jaikumar Vijayan reports in this week's special report on Internet warfare (page 20), the committee held a hearing last month on U.S. readiness to counter the cyberwarfare threat. Five witnesses representing the government and the private sector testified. Asked whether they felt the federal government is prepared to deal with a cybercatastrophe, each said no.

If that prompts you to point a finger at the government, don't be too quick to condemn bureaucratic incompetence. The question of whether the government is prepared for a cybercatastrophe is the wrong [question. It isn't a matter] of whether the federal gov[ernment is prepared; it's] a matter of whether we as a nation are prepared. We can't dump this one on the government.

That's not to say that the answer lies in outsourcing cyberdefense to the likes of a private-sector firm such as Point Corp. What we need to understand is that whereas national defense is fundamentally the domain of government in traditional warfare, in cyberwarfare it is at least as much the domain of the private sector. The reason: We're all standing squarely in the line of fire. The private sector is no longer simply a supplier to or supporter of our national defense efforts. It's now a full-fledged combatant in the war.

■ The private sector is no longer simply a supplier and supporter. It's now a full-fledged combatant in the war.

When the news broke last week that hackers had breached the Pentagon's F-35 Joint Strike Fighter project, the security of Defense Department systems was only part of the story. According to The Wall Street Journal, which cited sources who had been briefed on the matter, the hackers succeeded in breaching the systems by penetrating the networks of two or three contractors. Lockheed Martin is the lead contractor on the project, with Northrop Grumman and BAE Systems playing major roles, the Journal reported.

More to the point, private-sector combatants aren't limited to companies in the defense industry but are found in multiple industries that constitute our nation's critical infrastructure. Reports earlier this month that the power grid had been penetrated by hackers, possibly from China and/or Russia, raised plenty of eyebrows but seemed largely forgotten by the next news cycle.

Given that our critical infrastructure, from energy and utilities to health care and financial services, is owned and operated almost entirely by the private sector, it's nonsensical to think that we can leave it to the federal government to fight our cyberwar. I recently discussed this topic with Paul Kurtz, former senior director for critical infrastructure protection on the White House's Homeland Security Council, who said the government is properly and necessarily focused on securing its own data first.

"To me, what that underscores is that the private sector can't wait for government," Kurtz said. He cited the energy sector as especially lax, but he stressed that he's concerned about "high-tech areas — pharmaceuticals, biogenetics, IT, alternative energy, aviation — that are going to fuel our economic growth over the long haul. That's our future," Kurtz said. "And we're losing it every day because they're not adequately securing their systems."

The government's task is to mobilize the private sector — by means of tax incentives, loans or whatever fiscal devices make sense — to fight the cyberwar. Then the private sector needs to do whatever it takes to fight it and win. That's what combatants do. ■

Don Tennant is Computerworld's senior editor-at-large. You can contact him at don_tennant@computerworld.com, visit his blog at http://blogs.computerworld.com/tennant, and follow him on Twitter at http://twitter.com/dontennant.


ONLINE  CHATTER  ■ 


‘Mafiaboy’  Spills  the 
Beans  at  IT360  on 
Underground  Hackers 

April  14, 2009 


and  give  him/her  the  keys  to  the 
kingdom  the  first  day. 

■  Submitted  by:  Striker 


P.O. Box 9171, 1 Speen Street
Framingham, MA 01701
(508) 879-0700

Julia King (events)

Managing Editors Michele Lee DeFilippo (production), Sharon Machlis (online), Ken Mingis (news)

Features Editors Kathleen Melymuka, Valerie Potter, Ellen Fanning (special reports), Barbara Krasnoff (reviews)

Reporters Sharon Gaudin, Matt Hamblen, Gregg Keizer, Eric Lai, Lucas Mearian, Patrick Thibodeau, Jaikumar Vijayan

Features Writer, Video Editor David Ramel

April Montgomery


Study Finds H-1B Use Cuts Tech Wages by Up to 6%

The [use of H-1B] workers by U.S. companies is decreasing wages by


PROCESSORS

AMD to Ship Six-Core Chip in June, Plans 16 Cores by 2011

Advanced Micro Devices Inc. last week said it will release a six-core Opteron processor in June, five months ahead of schedule. And it detailed plans to add chips supporting up to 12 cores next year and 16 in 2011.

AMD, which reported a $416 million first-quarter loss last week, said the six-core server chip, code-named Istanbul, will provide up to a 30% performance boost over current quad-core Opterons while using the same amount of power. Istanbul will be followed early next year by a chip code-named Magny-Cours, which will ship in eight- and 12-core models, AMD said. And in 2011, the company plans to release a processor called Interlagos, which will be offered with 12 and 16 cores.

Insight64 analyst Nathan Brookwood said AMD is trying to get ahead of Intel Corp., which released its six-core Xeon 7400 server chip last September and plans to add an eight-core processor code-named Nehalem EX next year. Intel "clearly has seized the performance advantage" in the server market, he said, but AMD officials think Istanbul "will keep them very competitive over the next year, and then going to 12 cores in 2010 will keep them competitive when Intel comes out with eight."

- PATRICK THIBODEAU

[Sidebar: Opteron Road Map]

■ NEWS DIGEST

[...] that SGI's "financial situa[tion ...] would have liked" in January. But, he added, the Pentagon went ahead with the multiyear contract that month for six systems because it believed that the company was still "financially responsive."

Now the DOD is watching the situation closely. Henry said he expects "significant uncertainty" until the end of May, which is when Rackable expects to complete the asset purchase. But both companies "tell us they are committed to maintaining the systems we purchased in prior years and delivering the systems we ordered for delivery this year," he said.

The first of the Xeon-based Altix systems that the Pentagon ordered from SGI is scheduled to be delivered this month. The machines

[...] sales fell 27% to €1.74 billion ($2.28 billion U.S.) from €2.7 billion a year earlier, and that unit shipments dropped [...] poor performance to weak con[...] in new orders from retailers.

Nancy Gohring, IDG News Service

[... out]sourcer employed 143,761 people at the close of its fiscal year on March 31, up 32.3fi4 from a year earlier.

IDG News Service

Two trade groups - the Pan-[...] Association for Competitive [...] European Commission's antitrust case against Microsoft Corp. The EC contends that Microsoft's bundling of the


Sony Ericsson Cuts 2,000 More Jobs

[...] - Struggling Sony Ericsson Mobile Communications AB earlier this month announced plans to cut another 2,000 jobs after reporting that its shipments and market share dipped during the first quarter. The company had already carried out a layoff of 2,000 workers that was announced late last year.

The cell phone manufacturer, based here, had reported on April 16 that its first-quarter

Tata's Profit Drops 10.1% to $1.12B

MUMBAI - Tata Consultancy Services Ltd. last week reported that its fiscal 2009 profit fell by 10.1% to $1.12 billion, on revenue that rose 6% to $6 billion.

Tata's chief operating officer, N. Chandrasekaran, said Indian outsourcers are facing a slowdown in business because clients are postponing discretionary projects and trying to renegotiate existing contracts.

SGI Sale Puts Pentagon on Guard Over $40M Order


TRANSACTIONS 

FAST 

TIME-TO-VALUE 

FASTER. 


CA  Wily  Application  Performance  Management  is  designed  to 
improve  the  performance  and  availability  of  mission  critical  and 
revenue-generating  applications.  So  you  can  quickly  spot  and 
correct  online  production  application  incidents  before  they 
become  customer  problems  — especially  in  complex  and  high 
volume  transaction  environments.  That's  the  power  of  lean. 


Learn more at ca.com/apm


■  NEWS  ANALYSIS 


Oracle Leaves 'Em Wanting More on Its Plans for Sun

The software vendor hasn't said much about what it intends to do after buying Sun. Users are waiting for answers. By Patrick Thibodeau

O[racle Corp.'s announcement last] week that it plans to buy Sun Microsystems Inc. raised questions about, well, almost every aspect of the blockbuster deal that would unite two Silicon Valley icons.

The only sure bets are that Oracle sees benefits in acquiring Java and the So[laris ...]

[...] off in order to meet Oracle's ambitious profit goals.

It's unclear, though, what will happen to the Java Community Process and Sun's other open-source technologies, such as the MySQL database. The same goes for the Sun-dominated OpenOffice.org application suite and its Sun-owned commercial cousin, Star[Office ...]

■ The Solaris operating system is by far the best Unix technology available in the market.

[...] executives d[idn']t take any questions about their plan[s], leaving the details [to] be [...] And that leaves some Su[n us]ers [...]

[...]ers is how the deal will affect their service and support. In a brief conference call [...]

[...] concerned that Oracle will "undermine the Sun culture" and reduce the quality of customer service. If that happens, he said, the justification for paying Sun's premium prices will disappear.

Alex Wingeier, chief technical officer at CLR Choice Inc., a Palm Coast, Fla., company that has developed a real estate search engine, said that he and other members of his IT team also have concerns about Oracle taking over Sun.

"We were not really keen on the fact that Oracle is buying Java, MySQL and OpenOffice," Wingeier said. "We worry that they quite possibly could stop internal



Fujitsu  servers  keep  her  data 
as  fresh  as  her  produce. 


FUJITSU 


►  See  how  Fujitsu  makes  produce  more 
productive  at: 


Itanium 


Mission 

Critical 


Everything  you  need  to  sit  on  top 
of  the  mission-critical  food  chain. 


novell.com/evolution


Novell 

Making IT Work As One




■ THE GRILL

Gregg Favalora

The optics pioneer talks about 'crystal ball' 3-D imaging, breakthrough medical applications, and entrepreneurial best practices.

[...] prostate cancer treatment. Using a [traditional] display and ultrasound data from the operating room, our engineers are analyzing prostate imagery to train a computer to help doctors better place the 100 radioactive "seeds" used in prostate brachytherapy. This is a big deal. We believe we can radically decrease the side effects of common cancer treatments.

Which types of cancer are your products most successful in working with, and why is this technology superior to other types of 3-D imaging software? We believe [...]

■ [...] to help doctors link their surgical plans to the actual shape of the tumors in the operating room.

[...] patients [will have] fewer side effects.

The device closely resembles a crystal ball. Is the image live? Can you move it around in real time on the screen while the patient is present? Our Perspecta product is an unusual type of display. The imagery it produces really is volume-filling, so you can walk all the way around it to inspect the 3-D scenes from any angle with your unaided eye. You can manipulate the image, say, to zoom in and out or figure out how one molecule could dock into another. The imagery is formed by projecting 6,000 patterns of light onto a special surface that rotates very rapidly. It took us several years to design the optics and software that makes it all happen. Gigabytes of data flow through the system every second, which, when we introduced it in 2001, was unusual. It is a 100 million-pixel display.

How does current technology limit what you're able to accomplish? I'm glad you asked that. 2009-era PCs are barely powerful enough to crunch large volumes of 3-D data at interactive rates. We've been dealing with this issue by using the PCs' video cards — GPUs — as inexpensive embedded parallel processors. Thanks to GPUs like the Nvidia GeForce 8800, we can slice and dice ultrasound and CT scan data in real time. However, we can certainly use even more power if it's provided. Likewise, our holographic video displays will improve as digital light modulators, like the Texas Instruments DLP technology, become faster.

What is the next big leap for medical technology in general? I hope to see major advances in the fields of medical [...]

What are some of the obstacles you face with running a start-up in such a competitive industry? Fortunately, we are the only company in the world selling volumetric 3-D displays. We face a bigger challenge in our medical device/software work, where we're up against the global medical players. We maintain an aggressive patent portfolio, hire very bright people and make sure our engineers spend plenty of time watching cases in the OR so we build things our customers will find useful.

Right now, we're trying to crack a 10-year-old problem of detecting metallic seeds in prostate patients, and I feel really good that our contrarian solution will be a winner. We'll know [...]

Do you find it challenging to be both a businessman and an optical engineer? Yes, that's tugged at me for a while. Although I have entrepreneurial DNA, there are times when I prefer to be in the lab or at my notebook doing R&D. Also, young entrepreneurs take an unusual career risk of "leapfrogging" over the traditional apprenticeship path; instead, we manage teams of brilliant people who do things we've never personally done.

I do think it's valuable that seeing the business side informs the engineering effort, and vice versa.

What advice do you have for other aspiring young innovators? I love the feelings of solving engineering problems and achieving big milestones, but for some reason, my brain always ratchets to the next difficulty-goal level before I have a chance to enjoy what we've accomplished.

Advice? Talk to real customers, in person, starting as early in the game [...]

Microsoft 




Announcing  a  shocking  development 
in  data  management. 


SQLServerEnergy.com 


SQLServer 


EVER SINCE Bill Gates stepped down and Steve Ballmer took over his role, Microsoft has been getting one thing after another wrong. Vista continues to be a disaster both for users and for the company's bottom line. And Microsoft's ad campaign last year, starring Gates and Jerry Seinfeld, is already a model of how not to do [...]

[...] of test boxes, and it's not all that great. It's better than Vista, but that's really not saying much. For my money, XP SP3 is still the best of the Windows family.)

Finally, Microsoft has also come up with a winning set of TV ads. The [...]

[...] the point that PCs really are cheaper than Apple's proprietary hardware. However, if you're a think[...]

COMPUTERWORLD 


Attend  the  world’s 
largest  event  for 
storage,  data  center, 
infrastructure,  and 
business  continuity. 

At SNW, you can choose from over 150 educational
sessions  and  network  with  peers  from  around  the  globe, 
plus  visit  with  top  solutions  providers  in  the  world's  largest 
Expo  devoted  to  storage  and  related  technologies.  This  is 
your  opportunity  to  quickly  gather  reliable,  firsthand, 
practical  knowledge  you  can  put  to  work  right  away. 

SNW  is  where  you  can  learn,  share  experiences  and  make 
decisions.  Join  your  peers  and  industry  experts  this 
October  in  Phoenix! 


COMPUTERWORLD SNIA

SNW 

October  12-15,  2009 

JW  Marriott  Desert  Ridge,  Phoenix,  Arizona 


www.snwusa.com 


[...]nts already penetrated U.S. gov[ernment] and private networks or are actively engaged in doing so. Most of the efforts are focused on pilfering secrets from public and private IT organizations and appear to be profit- or espionage-related. A report released in March by the University of Toronto and think tank The SecDev Group showed how a group with apparent ties to China has methodically breached [...]

[...] patently for espionage purposes. At the [...]


■ SPECIAL REPORT

INTERNET WARFARE:

A lack of vision and leadership has left the U.S. woefully unprepared for a cybercatastrophe. By Jaikumar Vijayan

WHY PREVIOUS POLICIES FAILED


President Barack Obama has promised to make cybersecurity a top priority. In a January report, Forrester Research Inc. analyst Khalid Kark examined why the previous administration's policies were "outdated and not in line with the realities of today's complex and targeted threats" and found the following problems:

Lack of leadership. The idea of a cybersecurity czar reporting up to the president sounds good, but the previous three people in this position did not last very long. The last was Richard Clark, who was the special adviser to the president on cybersecurity. The U.S. government hasn't had a clear leader in that position since 2003.

Lack of coordination among [...] among them. It is generally assumed that the Department of Homeland Security has the mandate to run cross-industry cybersecurity initiatives, but in reality, the DHS has trouble coordinating its own internal efforts.

No input from the private sector. The strategy for cybersecurity has been developed primarily by the intelligence community within the U.S. government, which has a very different perspective than the commercial sector. The private sector should not only be at the table, but in many cases, it should also be leading the discussions and developing solutions that can be applied in both the private and public sectors.

Lack of information-sharing. Government cybersecurity initiatives have largely been isolated from the private sector. Many assessments and initiatives are classified and can't be shared with the private sector, which could provide valuable input and even help in the execution of some of those activities.

According to Yoran and several other experts in industry and government, the feds need to do the following key things in the near term.

IMPLEMENT STRONG LEADERSHIP

If the national information security agenda seems like a ship adrift on the [...] analysts say that's because there's no one at the helm — or at least no one who has [...]


[...]der needed to steer a steady course.

On paper at least, the DHS is responsible for overseeing information security across the federal government. But for most of its existence, the agency's leadership on such issues has been conspicuous by its absence. Even where it has tried, its efforts have been less than [...]

The National Cyber Security Center (NCSC), which was set up within the DHS in January 2008 with the specific task of coordinating information security across the federal government, has so far failed to get off the ground.

In March, its first director, Rod Beckstrom, quit the post after just a year on the job, citing a lack of support from within the DHS and turf wars with the National Security Agency.

At the time Beckstrom quit, the NCSC had almost no funding for its task, just two employees and two "detailees" from the NSA. "If you are going to run a major coordination effort, you've got to have the resources to build that capability," Beckstrom said at the time, adding that "the financial constraints which have been placed upon the NCSC are simply ridiculous and leave the nation vulnerable to attack."

The NSA, which is in charge of the Comprehensive National Cybersecurity Initiative (CNCI), has been jostling for broader control of the federal information security agenda. But while almost everyone acknowledges that the NSA can bring the skills, experience and clout needed to do the job, the prospect of a spy agency running the domestic cyberagenda does not sit well with security watchdogs.

■ The financial constraints which have been placed upon the NCSC are simply ridiculous and leave the nation vulnerable to attack.

Rather, the role of setting, overseeing and coordinating a national information security [strategy should] rest directly with the [White House, ... Center for Strategic and] International Studies (CSIS), a bipartisan Washington think tank, and other organizations. Then the DHS and other federal agencies could work with a White House office of cyberspace to roll out and manage security policies.

Unlike the DHS, "the White House has the authority to make agencies act," says Gregory Wilshusen, director of information security issues at the U.S. Government Accountability Office. Establishing White House responsibility would ensure that stakeholders cooperated in marshaling the resources needed to implement a national cyberstrategy, he says.

CREATE A NATIONAL STRATEGY FOR DEFENDING CYBERSPACE

Over the past few years, billions of dollars have been poured into cybersecurity across the federal government. The investments have yielded numerous scattershot efforts, such as a rollout of smart ID [...]



CA Security Management software streamlines your IT security environment so your business can be more secure, agile and compliant without upsizing your infrastructure. All with faster time to value. Greater efficiency starts with more efficient IT.

Learn  more  at  ca.com/security 




Software 


■ SPECIAL REPORT

HOW THE NEW POLICIES WILL DIFFER

The specifics of the Obama administration's cybersecurity strategy are still to be determined, but Forrester analyst Khalid Kark says that early indications suggest that it plans radical changes such as these:

The appointment of a cybersecurity czar. This person will coordinate and communicate governmentwide initiatives and be accountable for ensuring the protection of the public and private infrastructures that are necessary for a thriving economy.

Focus on commercial information assets. One of the major battlegrounds in the era of cyberwarfare will be private-sector information assets and intellectual property. Despite a number of cyberattacks on major U.S. companies that can be traced to foreign countries, the government hasn't undertaken a concerted effort to protect private-sector information assets.

Expansion of cybersecurity efforts to other federal agencies. While the U.S. government takes pride in the way it protects its military and intelligence assets, it lacks a similar focus on protecting information within other departments against a coordinated foreign attack. The new administration is expected to make other commercially sensitive agencies, such as the Commerce Department, a focal point of data protection efforts.

Funding for security research and [development]. [... Se]curity initiatives have been largely reactive so far. The private sector funds projects with established ROIs. An initiative may not have a solid business case, but if the case for safeguarding sensitive commercial and government targets is compelling, the effort should be funded by the government. The new administration has promised to do that.


Continued  from  page  22 
protocols  and  the  highly  classified  CNCI 
to  boost  the  ability  of  government  to 
detect  and  respond  to  threats  and  se¬ 
curity  vulnerabilities  in  near  real  time. 

The  initiatives  are  expected  to  yield 
significant  benefits  down  the  road,  but 


most  pressing  needs  is  for  a  compre¬ 
hensive  national  security  strategy  that 
sets  the  agenda  for  how.  where,  when 
and  why  security  investments  need  to 
be  made  and  who  will  be  responsible 
for  such  initiatives.  The  strategy  will 
need  to  spell  out  baseline  standards  for 
entities  in  critical  infrastructure  areas. 

The  CSIS,  which  in  December  submit¬ 
ted  a  set  of  security  recommendations 
to  President  Obama,  argues  that  such 
a  strategy  would  require  the  govern¬ 
ment  to  declare  its  cyberinfrastructure 
a  vital  asset  for  national  and  economic 
security.  It  would  then  need  to  indicate 
its  willingness  to  use  all  of  the  tools  at 
its  disposal  —  including  diplomatic, 
economic,  military  and  intelligence 
capabilities  —  to  protect  that  asset. 

BUILD  A  CYBER-RESPONSE 
CAPABILITY 

In  1963.  soon  after  the  Cuban  Mis¬ 
sile  Crisis.  President  John  F.  Kennedy 


M  If  there’s  a 
fire  on  the 
Internet,  who’s  the 
hre  department? 


infrastructure  protection  on  the  \\ 
House's  Homeland  Security  Count 
Attacks  against  key  Internet  protoi 
and  routing  technologies  could  cat 
considerable  and  lengthy  disruptio 
Coordinating  a  response  could  inv 
numerous  stakeholders,  including  c 
ers.  Internet  service  providers,  tec! 
ogy  vendors  and  bodies  like  the  Intt 
Corporation  for  Assigned  Names  a 
Numbers,  says  Kurtz,  who  is  curreni 
partner  at  Good  Harbor  Consulting 
“In  the  old  days,  we  had  trucks  v 
SS7  network  switches  on  them  thai 
could  be  rolled  in  place  quickly  to  i 
connect  copper  networks,"  Kurtz  s 
“In  an  IP-based  world,  we  have  not 


I 


ura.  in.  One  of  the  major  battle¬ 
grounds  in  the  era  of  cyberwarfare  will 
be  private-sector  information  assets 
and  intellectual  property.  Despite  a 
number  of  cyberattacks  on  major  U.S. 
companies  that  can  be  traced  to  for¬ 
eign  countries,  the  government  hasn't 
undertaken  a  concerted  effort  to  pro¬ 
tect  private-sector  information  assets. 


its  disposal  —  including  diplomatic, 
economic,  military  and  intelligence 
capabilities  —  to  protect  that  asset. 

BUILD  A  CYBER-RESPONSE 
CAPABILITY 

In  1963,  soon  after  the  Cuban  Mis¬ 
sile  Crisis,  President  John  F.  Kennedy 
established  the  National  Communica- 


;  SS7  network  switches  on  them  that 
|  could  be  rolled  in  place  quickly  to  re- 
!  connect  copper  networks."  Kurtz  says. 
!  “In  an  IP-based  world,  we  have  not 
i  even  begun  to  scratch  the  surface  of 
;  how  we  would  restore  networks.” 

i  SECURE  TARGETS  IN  CRITICAL 
I  INFRASTRUCTURE  AREAS 


tions  System.  Its  task  was  to  work  with  <  A  “digital  Pearl  Harbor,”  in  which  ad- 


federal  agencies  and  private  industry  ;  versaries  take  down  large  swaths  of 


to  ensure  the  reliability  and  avail-  !  the  Internet,  is  a  possibility  that  needs 


While  the  U.S.  government  takes  pride 
in  the  way  it  protects  its  military  and 
intelligence  assets,  it  lacks  a  similar 
focus  on  protecting  information  within 
other  departments  against  a  coordi¬ 
nated  foreign  attack.  The  new  admin¬ 
istration  is  expected  to  make  other 
commercially  sensitive  agencies,  such 
as  the  Commerce  Department,  a  focal 
point  of  data  protection  efforts. 


ui  i-I(i|imi:iiI  cit  iris.  Government  se¬ 
curity  initiatives  have  been  largely  re¬ 
active  so  far.  The  private  sector  funds 
projects  with  established  ROIs.  An 
initiative  may  not  have  a  solid  business 
case,  but  if  the  case  for  safeguarding 
sensitive  commercial  and  government 
targets  is  compelling,  the  effort  should 
be  funded  by  the  government.  The  new 
administration  has  promised  to  do  that. 


ability  of  telecommunications  systems  !  to  be  prepared  for,  security  analysts 
during  emergencies.  During  the  9/11  !  say.  But  far  more  likely,  and  of  greater 

crisis,  the  NCS  played  a  crucial  role  in  <  concern,  are  more-focused  attacks 


The  Computerworld  Inner  Circle  Research  Panel  was  established  as  a  way 
for  members  of  the  IT  community  to  share  information  and  gain  insight  into 
various  technology  topics,  including  new  initiatives  and  top  issues  faced  by 
IT  professionals  and  executives. 

Inner  Circle,  panel  members  get  exclusive  access  to  results  of  the  surveys 
on  the  panel  site  at:  www.computerworldinnercircle.com.  and  are  eligible  for 
some  nice  cash  and  prize  giveaways  for  their  participation.  We  look  forward  to 
hearing  your  input! 

Join  for  Free! 

To  register  as  a  panel  member,  visit  www.computerworld.coin/haic 


■  SPECIAL  REPORT 


Continued  from  page  24 
years  to  connect  the  systems  that  are 
used  to  control  critical  equipment  to 
the  Internet  —  in  power  generation  and 
distribution,  water  treatment,  biotech, 
pharmaceuticals  and  transportation  —  is 
making  them  more  vulnerable  to  threats. 

This was demonstrated in 2000, Wilshusen says, when a disgruntled employee at an Australian water-treatment plant released about 264,000 gallons of raw sewage into nearby rivers and parks by using a radio transmitter to break into the control systems.

In August 2003, a computer virus called Sobig managed to infiltrate a control system at CSX Corp.'s headquarters in Florida and shut down railroad signaling systems up and down the East Coast for hours, he says.

And in October 2006, a foreign hacker broke into a system at a water filtration plant in Harrisburg, Pa., after an employee's laptop computer was compromised via the Internet and then used as an entry point to install malware on the plant's computer system.

Although almost all critical infrastructure systems are owned by the private sector, making sure they are adequately protected should be a government priority, says Wilshusen. Not only should baseline security standards be established for critical infrastructure industries, he says, but there should also be regulations for enforcing them and a strategy for sharing information about security practices and other matters between the private and public sectors.

USE FEDERAL PROCUREMENT POWER TO FORCE BETTER SECURITY FROM VENDORS

Having served as the de facto CIO of the federal government under the Bush administration, Karen Evans knows a lot about how to use the government's enormous buying power to force technology vendors to improve security. "When you spend $71 billion in the marketplace, you should be very clear about what your requirements are" and expect vendors to abide by them, she says.

One place where the government has successfully done this is under the Federal Desktop Core Configuration (FDCC) initiative, in which it is working with Microsoft Corp. and other technology vendors to ensure that all Windows XP and Vista desktops delivered to the government have standard baseline security configurations. Evans says there's no reason why a similar model can't be implemented to also get other vendors to do things such as turn off default configurations and disable functions that create security risks before products are delivered to agencies. Implementing security language in federal acquisition rules is much easier than forcing regulations down vendors' throats, she says.

Requiring vendors to bake in security and centralizing procurement across the government could also bring costs down significantly, says Alan Paller, director of research at the SANS Institute, a training and certification organization in Bethesda, Md. "Right now, there's enormous inefficiency" when it comes to security purchases, he says.
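A baseline such as FDCC only earns its keep if a delivered system can be checked against it before it is accepted. The following is an added example, not code from the article, from FDCC or from any vendor: it audits a host's exported settings against a baseline of rules, treating an absent setting as an unhardened default and a wrongly typed value as a failure rather than a pass. The setting names, the baseline values and the sample host export are constructed for illustration and are modeled only on the kind of control a desktop baseline mandates (autorun off, guest account off, minimum password length); they are not the actual FDCC settings, which are published as SCAP content.

```python
"""Audit a host's configuration export against a security baseline.

Added example, not code from the article or from FDCC. The baseline rules
and the host export below are constructed for illustration; the real FDCC
settings are published as SCAP content and differ from these.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

# Comparators a baseline rule can use: the host value passes when
# OPS[op](host_value, required_value) is true.
OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda have, want: have == want,
    "ge": lambda have, want: have >= want,
    "le": lambda have, want: have <= want,
}


@dataclass(frozen=True)
class Rule:
    setting: str          # hypothetical setting name, e.g. "policy.autorun_enabled"
    op: str               # one of OPS
    value: Any            # required value
    severity: str         # "high" or "medium"
    missing_is_fail: bool = True  # an absent setting means "vendor default", i.e. not hardened


@dataclass(frozen=True)
class Finding:
    setting: str
    severity: str
    observed: Optional[Any]   # None when the setting was absent from the export
    required: str             # human-readable "op value"


# Constructed baseline: the shape of a desktop baseline, not the FDCC values.
BASELINE: List[Rule] = [
    Rule("policy.autorun_enabled", "eq", False, "high"),
    Rule("accounts.guest_enabled", "eq", False, "high"),
    Rule("accounts.admin_renamed", "eq", True, "medium"),
    Rule("password.min_length", "ge", 12, "high"),
    Rule("password.max_age_days", "le", 60, "medium"),
    Rule("firewall.enabled", "eq", True, "high"),
    Rule("services.telnet_enabled", "eq", False, "high"),
    Rule("screensaver.lock_timeout_seconds", "le", 900, "medium"),
]


def audit(host: Dict[str, Any], baseline: List[Rule] = BASELINE) -> List[Finding]:
    """Return one Finding per baseline rule the host export does not satisfy."""
    findings: List[Finding] = []
    for rule in baseline:
        required = f"{rule.op} {rule.value!r}"
        if rule.setting not in host:
            if rule.missing_is_fail:
                findings.append(Finding(rule.setting, rule.severity, None, required))
            continue
        observed = host[rule.setting]
        # A value of the wrong type (e.g. "12" where an int is expected) is a
        # finding, not a crash: a malformed export must not silently pass.
        try:
            ok = OPS[rule.op](observed, rule.value)
        except TypeError:
            ok = False
        if not ok:
            findings.append(Finding(rule.setting, rule.severity, observed, required))
    return findings


def compliant(host: Dict[str, Any], baseline: List[Rule] = BASELINE) -> bool:
    """Accept a delivered host only when it has no high-severity findings."""
    return not any(f.severity == "high" for f in audit(host, baseline))


# Constructed host export, the kind of dump an inventory agent would produce
# for a desktop as delivered by a vendor.
SAMPLE_HOST: Dict[str, Any] = {
    "policy.autorun_enabled": True,      # vendor default left on
    "accounts.guest_enabled": False,
    "accounts.admin_renamed": False,
    "password.min_length": 8,
    "password.max_age_days": 42,
    "firewall.enabled": True,
    "services.telnet_enabled": False,
    # screensaver.lock_timeout_seconds is absent: never configured
}

if __name__ == "__main__":
    for f in audit(SAMPLE_HOST):
        print(f"[{f.severity}] {f.setting}: observed {f.observed!r}, required {f.required}")
    print("accepted" if compliant(SAMPLE_HOST) else "rejected")
```

The two decisions that matter in practice are encoded in `audit`: a setting missing from the export is reported rather than ignored, because "never configured" usually means "vendor default", and a value that cannot be compared is reported rather than raising, so a broken export cannot pass by accident. Running the block on the sample host rejects it for the enabled autorun and the eight-character password minimum.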

DEVELOP AN OFFENSIVE CAPABILITY

Patti Titus, the former chief information security officer at the Transportation Security Administration, is among a growing number of executives arguing for the development of deterrent capabilities in cyberspace. "What we need to say is, 'We are the U.S., and if you mess with us, you'd better be careful,'" says Titus, who is currently chief information security officer at Unisys Corp.

For too long, the country has been focusing on building a defensive capability that has done little to stop adversaries from infiltrating government networks and supply chain and distribution systems, she says. "It's time to come up with some way of launching back at those that mean to do harm," Titus suggests.

But figuring out the nuances of such a strategy can be tricky, says Kurtz. "There is some real work that needs to be done" on a global basis to think through such issues, he says. "What is an act of war in cyberspace? We need to have a far more substantial dialogue here in the United States and abroad about what this means," he says, especially because the means to do harm in cyberspace are not restricted to governments and militaries.

Countries don't brag about their cyberoffensive capabilities the way they might "display fighter planes and battleships," says Steven Chabinsky, senior cyber adviser to the director of national intelligence. "They guard them in a very secretive manner," and there's no telling if they intend to use their cyberweapons, says Chabinsky. "In cyber, capabilities tend to get better over time, and intentions can change [...]" always the possibility that a nation that wants to do damage can simply hijack or use capabilities built by others.

"Determining who the attackers are, who the enemies are, is one of the biggest problems we have as a government and in the private sector," says Shawn Carpenter, a former network security analyst at Sandia National Laboratories.

Carpenter was fired in January 2005 for his independent probe of a network security breach at the government research facility — an undertaking in which he did some reverse-hacking and traced the incident back to the series of Chinese intrusions that U.S. investigators code-named Titan Rain. Make no mistake, he says, the enemy is already here, lurking in sensitive systems and networks — in control of large botnets that are inside financial systems and the power grid — and it needs to be stopped.

"My definition of a digital Pearl Harbor is where these people are already here," he says. "They already have access and are just sort of hanging out maintaining their access for the time when they get some instruction to bring down the system or corrupt information." ■

Don Tennant contributed to this report.




CYBERWEAPONS

Cybermilitias, black hat hackers and other non-nation-state bad guys blur the lines on the virtual battlefield. By Don Tennant


According to former National Reconnaissance Office official Mike Theis, terrorists and criminals pose similar threats when it comes to making money illegally. Here are some activities these groups might undertake:

[...] that could be sold to the highest bidder or on an information exchange.

Theft of trade secrets, intellectual property or superior business processes. "It could be something as simple as your customer list, but there is usually a lot more of value than that," Theis says.

Cyber-hostage-taking. If the contents of your entire hard drive were remotely encrypted by a hacker, would you pay $100 to get the decryption key? Would 10,000 people like you do the same?

Cyberblackmailing. How much would you pay to prevent your family, customers, competitors or regulators from knowing something that was found on your computer?

Cyberslaving. The perpetrator installs a back door or "loader" on your machine and sells it to the highest bidder. It would allow the buyer to install any type of software on that machine without being detected. "The last I heard, the average price was still about $1 per machine," Theis says. "It's not uncommon to see machines purchased in blocks of 10,000 or more in order to launch a denial-of-service attack."

"So basically," Theis says, "anything that can be done in the world of brick and mortar has some type of a cyber equivalent."

- DON TENNANT


[...] Tallinn, Estonia. "But computer network defenders should understand that time [...]

[...] surprisingly, China and Russia top the list of countries with highly developed cyberwarfare capabilities. Kurtz also points to Iran and North Korea as countries with known cyberwarfare aspirations.

While Chabinsky declines to be specific because of concerns about compromising intelligence-gathering methods, he affirms that the U.S. has identified "a number of sophisticated nation-state actors who we believe have the capability to bring down portions of our critical infrastructure." Fortunately, he adds, "we don't think they have the intent to do so, [since] our country would respond accordingly, and not necessarily symmetrically, through cyber means."

On the other hand, Kurtz notes, governments "would have more resources at their disposal in order to disguise or bury the true source of an attack." But, [...] to believe that a small, well-funded cell could not inflict very serious damage on the information infrastructure supporting the U.S. and the global economy."

Chabinsky notes that national governments are more comfortable grappling with the challenge of deterring or responding to cyberthreats from other countries. "There's a lot more to worry about should the same computer network attack capabilities exist in the hands of irrational or otherwise [...]

Intelligence officials and analysts agree that so far, there has been little [...] organized terrorist groups. "Nonstate actors such as al-Qaeda probably do not possess the infrastructure or expertise to attempt a cyberattack that would rival the shock value of using bullets and explosives," Geers says.

But those officials and analysts recognize that terrorist groups have the [...] capable of attacking our critical infrastructure themselves, "it's less clear whether they could find a hired gun to do so," Chabinsky says. "Obviously, terrorist groups have the intent to harm us, are aware of the potential impact of a successful cyberattack and would find the ability to attack us from a distance quite appealing."

[...] potential "hired guns" are in an extraordinarily effective position to cause trouble: within the walls of corporate [...]

"I think the primary cyber-risk to [...] disgruntled employees who have insider knowledge and access," Chabinsky says. "Insider threats can take advantage of the most serious vulnerabilities; in fact, they can create them. Could they sell their capabilities to a terrorist group? Certainly."

CRIMINAL ELEMENT

[...] terrorist groups that are equipped to pose this sort of threat. In fact, they may not even be the most ominous nongovernmental source of potential cyberdamage.

[...] criminal activity provides a more pervasive and damaging threat than organized [...]



A SHORT HISTORY OF HACKS, WORMS AND CYBERTERROR


SECURITY MANAGER'S JOURNAL | MATHIAS THURMAN

Trouble Ticket

Attention to Conficker Appears to Pay Off

The notorious worm has the security team putting all its focus on protecting the company's 9,000 systems around the globe.

AT ISSUE: It appears possible that the Conficker worm could wreak more [...]

[...]ted with Conficker. We use both Snort and Jun[...] for intrusion detection [...]


Preston Gralla

Cyberwarfare's First Casualty

THE FIRST CASUALTY OF WAR, the Greek playwright Aeschylus said, is the truth. But when it comes to cyberwarfare, the first casualty will most likely be your privacy.

And unlike in past wars, the government itself may not do the snooping. Instead, it will most likely let private industry do the dirty work, essentially outsourcing cyberintelligence-gathering.

In warfare, information is one of the most important weapons in a government's arsenal. No matter the physical weaponry, the key to victory is an understanding of the enemy's intentions and who and where he is. Analyze any war, and you'll generally find that the victor had better intelligence.

As we've seen, though, intelligence-gathering is frequently subject to abuse. During the Cold War, the CIA and FBI regularly violated the rights of U.S. citizens. More recently, the Patriot Act gave legal cover to government prying, and the National Security Agency carried out covert wiretapping without seeking the proper warrants.

The intelligence that will be gathered in the coming generation of cyberwarfare will dwarf anything that came before, in the breadth of information acquired, the ease with which it is gathered, and the number of people caught in the net. In past wars, a fair number of innocent people had their privacy invaded. In tomorrow's cyberwar, it'll be virtually everyone.

Cyberwarfare is fought online; its geography is virtual, and you're part of it. In physical wars, armies scout the countryside. In cyberwars, they'll scout the Internet.

The Internet is made up not just of wires, routers and servers; it's made up of the data crossing it. Those who fight cyberwars will [...] in an attempt to find nuggets of information. They'll look for patterns of use and relationships that would otherwise escape notice.

To find those patterns and information requires massive and constant data-gathering, on a scale likely not being done by the government. Constantly gathering that kind of information would probably be illegal.

That's why you'll see government outsourcing [...] companies that already do the work legally — and primarily that means Google.

I'm not saying that Google will purposefully [...] for the federal government. Instead, the government will legally tap into Google's already-in-place information-gathering by issuing subpoenas on a regular basis.

Why Google? Google already gathers vast amounts of information about people's browsing and search habits, and it regularly responds to subpoenas for that data.

And the information that Google gathers is about to grow exponentially, when Google Voice expands to widespread use. Google Voice will route all of your calls through a single number, let you record and store calls online, and offer transcripts of voice mail. At some point, it will probably offer transcripts of all calls recorded. It will be able to do that for your normal voice calls, not just calls made to or from a computer.

You can be sure that the government will want to [...] treasure trove of information. Just think about it: Why go through the difficult process of getting a phone tap when it's so much easier to simply issue a subpoena to Google?

Google isn't alone, of course; many other private companies — particularly ISPs and big telecom providers — also gather information about people online. But no one gathers the amount of information about people that Google does. So it will become the government's biggest source of information about private citizens in the age of cyberwars.

The upshot? If you care about your privacy, your best bet is to find ways to hide your information from Google. Private companies, more than the government, will be the biggest privacy invaders. ■

Preston Gralla is a contributing editor for Computerworld.com and the author of more than 35 books, including How the Internet Works (Que, 2006).


7.  2009 




■  FRANKLY  SPEAKING 

Frank  Hav  es 


The  95%  Question 


LET’S  FORGET  ABOUT  the  software  from  that 

Oracle-Sun  deal  for  a  moment  (see  story,  page  10).  Yes, 
Oracle  loves  Java  and  Solaris  —  Oracle’s  middleware 
depends  on  Java,  and  lots  of  Oracle  databases  run 
on  Solaris*  And  yes,  Oracle  will  tolerate  MySQL.  OpenOffice, 
VirtualBox  and  other  Sun  software  products?  We’ll  see. 

But  all  told,  that’s  5%  of  Sun’s  sales.  What  about  the  hardware? 

If  you're  a  Sun  custom-  i  Brutal  competition.  i  do  not  have  to  do  it 
er.  that’s  probably  what  Hardware  is  a  commodi-  themselves.” 
you’re  worried  about.  ty,  and  Oracle  has  worked  Most  analysts  assume 


Sparc  servers  and  maybe 
shelled  out  something  for 
storage,  tape  systems  and 

workstations.  If  it  turns  I  losing  business  that  puts  I  think  it  means  O 
it  in  direct  competition  planning  to  offer 


Sure,  Oracle  says  it 
“plans  to  grow  the  Sun 
hardware  business . . . 
protecting  Sun  custom¬ 
ers’  investments  and  en¬ 
suring  the  long-term  vi¬ 
ability  of  Sun’s  products.” 
That’s  from  Oracle’s  of¬ 
ficial  FAQon  the  buyout. 

But  it’s  a  little  hard  to 
believe.  After  all,  Oracle 


know  this:  Larry  Ellison 
loves  appliances. 

Look,  here’s  Ellison  on 
the  merger:  “Oracle  will 
be  the  only  company  that 

grated  system  —  applica¬ 
tions  to  disk  —  where  all 
the  pieces  fit  and  work 
together  so  customers 

■  No  assembly 
required.  Minimal 
customization  pos¬ 
sible.  Sett-upgrad¬ 
ing,  self-managing, 
stick-it-in-a-closet 
simple.  Now  that’s 
an  appliance. 


tem  that  includes  a  data¬ 
base  and  applications, 
modeled  on  what  used 
to  be  called  the  AS/400 
—  again,  just  like  IBM. 

But  what  if  it  really 
means  that  Oracle  wants 
to  build  an  appliance? 
Not  a  database  or  stor¬ 
age  appliance,  like  the 
machines  Oracle  and  HP 
announced  last  fall,  but 
a  true  application  appli¬ 
ance,  built  from  Sparc, 
Solaris,  Oracle  and  ap¬ 
plication  software,  fully 
integrated,  tuned  and 

Say,  for  example, 
PeopleSoft-in-a-box. 

No  assembly  required. 
Minimal  customization 
possible.  Self-upgrading, 


porate  IT  shops,  but  on< 
that  would  open  up  an 
entirely  new  market  for 
Oracle:  smaller  custom¬ 
ers  who  would  gladly  p; 
extra  to  avoid  having  to 
master  the  weirdness  of 
enterprise  applications. 

That  would  let  Oracle 


servers  and  other  data 
center  hardware  alive. 

Can Oracle do it? Will Oracle do it? I don’t know, but Larry Ellison does love appliances.

He’s been trying for years to make appliances with partners — but without much success. Now Oracle will own all the pieces, including the hardware. This time, it just might work.

If you’re a corporate IT shop with Sun hardware, pray that it does. ■

Frank Hayes is Computerworld’s senior news columnist. Contact him at frank_hayes@




ALTERNATIVE THINKING ABOUT CONTROL AND CONSOLIDATION:

When it comes to IT, your universe is always expanding. Needs increase, resources are stretched and options can be limited. But now, you can rethink how you control and optimize your physical and virtual servers by integrating them with one powerful software solution, Insight Dynamics — VSE. Now you can increase flexibility, improve cost and energy efficiency, and simplify daily operations.

Supporting this technology is HP’s commitment to service and dependability — a point of difference that led IDC to name HP the #1 vendor for virtualization.*

Technology for better business outcomes.

• Quad-Core AMD Opteron™ Processor, with AMD Virtualization™ technology
• Ideal for general-purpose solutions and high-performance computing
• Affordable, modular rack systems to give your IT department the flexibility to expand with your business

• Quad-Core AMD Opteron™ Processor, with AMD Virtualization™ technology
• Infrastructure-in-a-box saves you time, power and money by reducing repetitive parts and redundant operations
• Add, replace and recover resources on the fly without rewiring

To learn more, call 1-888-367-2308 or visit hp.com/servers/virtual9

AMD, the AMD Arrow logo, AMD Opteron and combinations thereof, are trademarks of Advanced Micro Devices, Inc.

© 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
*Source: IDC Quarterly Server Virtualization Tracker, October 2008.


